Container Security Fundamentals: What Actually Matters

It started with a misconfigured CI runner. A developer had a Jenkins pipeline building Docker images. The container ran as root. A dependency had a known RCE vulnerability. When the exploit landed, the attacker had root inside the container, and because that process was root, they also had root on the host. They pivoted to the secrets store, grabbed credentials, and spent three weeks inside the network before anyone noticed. ...

March 6, 2026 · 12 min · Scott Algatt

Hardening Your CI/CD: Terraform, Docker, and Kubernetes Security

Update (January 2026): The package versions in this tutorial were current as of March 2024. While the concepts and approach remain valid, you should check for newer versions of the tools mentioned (Hadolint, Terrascan, pre-commit hooks, etc.). Most importantly, update actions/checkout@v3 to actions/checkout@v4 in your workflows, since v3 uses the deprecated Node.js 16 runtime. As I continue this series on CI/CD pipeline security, it is now time to work on securely building and deploying our application. This post picks up where my Build Secure Python Pipelines: Adding Tests and Hooks in Action post left off. ...

March 1, 2024 · 11 min · Scott